Abstract for: A financial evaluation of DDOS defences dynamics from an organisational perspective: how long will these defences hold?

This paper reports on the financial evaluation of DDOS reference architecture and associated policies settings using system dynamics. DDOS peak attack capacity and cyber security costs have been growing exponentially over time. This raises the question which structure explains investment behaviour in this area. We believe system dynamics modelling is appropriate due to cyber security due to its dynamic complexity in this field. This complexity follows from attacker-defender interaction and the response of the resilient organisation. We identified relevant security metrics, their (delayed) interrelations and resulting feedback loops. By capturing this structure in an investment model we were able to cope with the often observed difficulty in the field of cyber security of estimating financial impact of policy settings. We were able to align DDOS defence measures effectiveness with vulnerabilities and (potential) impacts of DDOS attacks in the model. Our model reveals tipping points in long term financial performance which indicate important changes in policy effectiveness. We believe a rat race between attacker and defender by increasing defence capacity over time is not sustainable. Based on our initial model simulation we analyse six alternative solutions.